
mainframe [z/OS] reverse engineering and exploit development

Chad Rikansrud, Director, North America, RSM Partners

about me

i used to

but now i

and teach mainframe hacking

so pretty much i

hack gibsons for a living

at mainframe security hq

Mainframe Experts
• Pentesting
• Assessments
• Software
• Red Team Augmentation

the machine: architecture

what most people think

what media thinks

what it really is

it’s important

how important?

• 87% of global payments – $8 trillion value
• 29 billion ATM transactions - $5 billion annually
• 4 billion passenger flights annually
• 30 billion total transactions daily
• Big numbers – break it down

• $8 Trillion (4 commas) GDP: U.K. + France + India + Brazil

• 919 ATM transactions/second - $158/second

• 7,610 Passenger flights/minute

• 347,222 Total transactions/second – 8.5x > Google

• It’s important

an analogy

today is full stack / devops

mainframe style

z/architecture and z/os terms: just the basics

not going into

• CICS

• TSO/e

• Datasets

• ESM (RACF, TSS, ACF/2)

• see loads of other talks, presentations and content by:
• myself
• @mainframed767
• @ayoul3__

changing cpu state

problem (subset of instructions)

supervisor (all the instructions)

MODESET -> SVC107 -> LCTL CR03 -> 00C0

PSW mode and storage key protection

• supervisor vs problem state
• PSW – program status word (summary of system flags, settings, EIP)
• basically - some vs all CPU instructions

changing access storage key

non-zero (r/w limited to same key)

zero (r/w all the memory)


PSW mode and storage key protection


• storage (memory) key
• 0-15 – PSW current storage key
• PSW key must match (or be 0) storage key

how it works in z/os

• system startup processes (IPL)
• supervisor by design

• SVC / PC (privileged system calls)
• SVC – supervisor call
• PC – program call

• APF authorized library list
• static and dynamic list of libraries (folders)

authorized program facility list (APF)

SYS1.LINKLIB

SYS1.LPALIB

USER.LIBRARY1

PGM.LIBRARY1

PGM.LIBRARY2

if you can edit this list, or update one of these libraries: game over

vulnerabilities: some unique, some familiar

poorly written SVC or PC: untrusted parameters

[diagram: a problem-state caller CALLs the SVC with a parameter block and gets control back on RETURN. The caller's source parm address is 0x81FF3C0, in KEY 8 storage; the dest return address it supplies is 0x8FF3F03, in KEY 0 storage. The SVC reads or writes through both addresses w/o using the source or dest key.]
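The storage-key rule from the PSW slide and the untrusted-parameter SVC in the diagram above, as an added example that is not from the talk. This C model (my code, not the speaker's) keeps a four-page toy memory with a per-page access-control key and fetch-protection bit, applies the key-controlled protection check as the Principles of Operation define it, and contrasts an SVC that moves data in its own key 0 on both sides with one that touches caller-supplied operands in the caller's key, which is what MVCSK/MVCDK exist for. The page layout, the addresses, the 0xC1 payload and every function name are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u

/* One 4 KiB page with the parts of a z/Architecture storage key that
 * matter here: the 4-bit access-control key and the fetch-protection bit. */
struct page {
    uint8_t acc;        /* access-control bits (0-15) */
    bool    fetch_prot; /* F bit: fetches also need a key match */
    uint8_t data[PAGE_SIZE];
};
static struct page mem[NPAGES];   /* constructed toy memory, not real z/OS storage */

static uint8_t *byte_at(uint32_t addr) {
    return &mem[addr / PAGE_SIZE].data[addr % PAGE_SIZE];
}

/* Key-controlled protection: a store is allowed when the access key is 0 or
 * matches the storage key; a fetch is allowed on the same terms, or when the
 * page is not fetch-protected. Anything outside the toy memory is refused. */
static bool access_ok(uint8_t access_key, uint32_t addr, bool is_store) {
    if (addr / PAGE_SIZE >= NPAGES) return false;
    const struct page *p = &mem[addr / PAGE_SIZE];
    if (access_key == 0 || access_key == p->acc) return true;
    return !is_store && !p->fetch_prot;
}

/* Move len bytes using one key for the source side and another for the
 * destination side, the way MVCSK/MVCDK let supervisor code do. Copies
 * nothing and returns false if any byte would raise a protection exception. */
static bool move_with_keys(uint8_t src_key, uint32_t src,
                           uint8_t dst_key, uint32_t dst, uint32_t len) {
    for (uint32_t i = 0; i < len; i++)
        if (!access_ok(src_key, src + i, false) ||
            !access_ok(dst_key, dst + i, true))
            return false;
    for (uint32_t i = 0; i < len; i++)
        *byte_at(dst + i) = *byte_at(src + i);
    return true;
}

/* The slide's bug: the SVC runs in key 0 and moves with its own key on both
 * sides, so whatever "dest" the key-8 caller passes gets written. */
static bool vulnerable_svc(uint8_t caller_key, uint32_t src,
                           uint32_t dst, uint32_t len) {
    (void)caller_key;                      /* never looked at */
    return move_with_keys(0, src, 0, dst, len);
}

/* Hardened: caller-supplied addresses are accessed with the caller's PSW key,
 * so the check the caller would have faced in problem state still applies. */
static bool hardened_svc(uint8_t caller_key, uint32_t src,
                         uint32_t dst, uint32_t len) {
    return move_with_keys(caller_key, src, caller_key, dst, len);
}

/* Constructed layout: pages 0-1 are key 0 and fetch-protected (system),
 * pages 2-3 are key 8 (the caller's own storage). */
#define SRC_USER   (2u * PAGE_SIZE + 0x3C0u)   /* caller's parameter */
#define DST_USER   (3u * PAGE_SIZE + 0x100u)   /* legitimate return area */
#define DST_SYSTEM (1u * PAGE_SIZE + 0xF03u)   /* key-0 storage handed in as "dest" */

static void setup_memory(void) {
    memset(mem, 0, sizeof mem);
    for (unsigned i = 0; i < NPAGES; i++) {
        mem[i].acc = (i < 2) ? 0 : 8;
        mem[i].fetch_prot = (i < 2);
    }
    memset(byte_at(SRC_USER), 0xC1, 16);      /* 16 EBCDIC 'A's to copy */
}

int main(void) {
    setup_memory();
    printf("direct key-8 store into key-0 page: %s\n",
           access_ok(8, DST_SYSTEM, true) ? "allowed" : "protection exception");
    printf("vulnerable SVC, dest in key 0:      %s\n",
           vulnerable_svc(8, SRC_USER, DST_SYSTEM, 16) ? "written" : "rejected");
    printf("hardened SVC, dest in key 0:        %s\n",
           hardened_svc(8, SRC_USER, DST_SYSTEM, 16) ? "written" : "rejected");
    printf("hardened SVC, dest in key 8:        %s\n",
           hardened_svc(8, SRC_USER, DST_USER, 16) ? "written" : "rejected");
    return 0;
}
```

The point the model makes is the one the diagram makes: the hardware check is keyed to whoever executes the instruction, so once a key-0 routine dereferences a pointer on a caller's behalf, the caller's key is only enforced if the routine enforces it itself.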

buffer overflows

[diagram: program storage laid out as return address, jump address, error routine, critical data, input data, then pgm variable ×4. The program reads input w/o bounds checking, so the input runs past the allocated pgm storage into the overflowed storage beyond it.]
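The unchecked read on the slide, as an added C example that is not from the talk (my code, not the speaker's). The work area is laid out like a contiguous assembler DS area with the input buffer directly before the fields the program trusts later; records carry a constructed 4-byte length prefix shaped like an RDW, and the vulnerable reader takes its move length from that prefix without comparing it with the 32 bytes allocated. The struct, field names, record format and return codes are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Program work area: the 32-byte input buffer sits directly before fields
 * the program later trusts. No padding, so the overflow is deterministic. */
struct workarea {
    uint8_t  input[32];
    uint8_t  critical[8];      /* e.g. an "already authorized" flag */
    uint32_t jump_address;     /* where the program branches next */
    uint32_t return_address;   /* where it returns to its caller */
};

enum { RC_OK = 0, RC_BAD_LENGTH = 8 };   /* constructed return codes */

/* Constructed record prefix modelled on an RDW: 2-byte length that includes
 * the prefix itself, then 2 zero bytes. Both readers take the data length
 * from it; only one checks it. */
static uint32_t rdw_data_length(const uint8_t *rec) {
    return (uint32_t)((rec[0] << 8) | rec[1]) - 4u;
}

/* The slide's bug: the move length comes from the record and is never
 * compared with the 32 bytes actually allocated. Bytes 33.. land in
 * critical, jump_address and return_address. */
static int read_record_unchecked(struct workarea *w, const uint8_t *rec) {
    uint32_t len = rdw_data_length(rec);
    memcpy((uint8_t *)w, rec + 4, len);
    return RC_OK;
}

/* Hardened: reject the record before touching storage, the slide's
 * "error routine" path. */
static int read_record_checked(struct workarea *w, const uint8_t *rec) {
    uint32_t len = rdw_data_length(rec);
    if (len > sizeof w->input) return RC_BAD_LENGTH;
    memcpy(w->input, rec + 4, len);
    return RC_OK;
}

/* Feed a record of datalen filler bytes to one of the readers and report
 * whether jump_address survived. datalen is capped at the work area size so
 * the C model itself stays within defined behaviour; a real MVC has no cap. */
static bool jump_clobbered(uint32_t datalen, bool use_checked, int *rc) {
    const uint32_t jump0 = 0x00C0DE00u;            /* constructed target */
    uint8_t rec[4 + sizeof(struct workarea)] = {0};
    if (datalen > sizeof(struct workarea)) datalen = sizeof(struct workarea);
    uint16_t rdw = (uint16_t)(datalen + 4);
    rec[0] = (uint8_t)(rdw >> 8);
    rec[1] = (uint8_t)(rdw & 0xFF);
    memset(rec + 4, 0xEE, datalen);                /* constructed filler */

    struct workarea w;
    memset(&w, 0, sizeof w);
    w.jump_address = jump0;
    w.return_address = 0x00001234u;
    *rc = use_checked ? read_record_checked(&w, rec)
                      : read_record_unchecked(&w, rec);
    return w.jump_address != jump0;
}

int main(void) {
    static const uint32_t lens[] = { 32, 40, 44, 48 };
    printf("jump_address at offset %zu of %zu\n",
           offsetof(struct workarea, jump_address), sizeof(struct workarea));
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int rc_u, rc_c;
        bool hit_u = jump_clobbered(lens[i], false, &rc_u);
        bool hit_c = jump_clobbered(lens[i], true, &rc_c);
        printf("len %2u: unchecked rc=%d jump %s | checked rc=%d jump %s\n",
               lens[i], rc_u, hit_u ? "CLOBBERED" : "intact",
               rc_c, hit_c ? "CLOBBERED" : "intact");
    }
    return 0;
}
```

Note that a 40-byte record already overwrites critical without touching jump_address; a corrupted flag with an intact control-flow field is exactly the case that survives a crash-based triage, so when auditing a read like this, compare the move length against the allocation, not against whether the program still runs.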

intentional backdoors

[diagram: program parameters actionType, secretCode, jumpAddress, saveArea. Input flows into the program, which checks the sekrets: good sekret? no: console error; yes: the hidden action proceeds.]

the tools: bad, badder, baddest, really quite good

DBX: like GDB, but not nearly as fun

debug tool: really just here for the colors

ASMIDF: after hella modifications, can be somewhat useful

TSO/e TEST: learn it for the same reason you learned ‘ed’

z/XDC: the real contender (non-IBM)

reversing and exploiting: wonder what this vendor-provided SVC does?

Untrusted parameters and registers

DEMO

Just a backdoor

DEMO

putting it all together

DEMO

further research: where to go from here?

black hat sound bytes

• mainframe is just another computer
• it isn’t COBOL
• it pretty much runs the financial infrastructure of the planet
• oh, and also the airlines, government and healthcare
• the security posture could be good, but isn’t yet
• most vulnerabilities work here, with some variation
• get a pentest, assessment at least annually

reading - info

• Vulnerability patterns on z/OS (http://events.share.org/Summer2017/Public/SessionDetails.aspx?FromPage=Speakers.aspx&SessionID=3401&nav=true&Role=U%27)

• z/Architecture Principles of Operation (https://www-01.ibm.com/support/docview.wss?uid=isg2b9de5f05a9d57819852571c500428f9a)

• z/XDC Debugger (http://colesoft.com/zxdc/)

thank you

Contact Info: Chad Rikansrud, Director, N.A., [email protected], @bigendiansmalls